Active KEV | CVE-2025-2749 | 2026-05-17

CVE-2025-2749: Authenticated Path Traversal to RCE in Kentico Xperience

CISA added CVE-2025-2749 to the Known Exploited Vulnerabilities catalog on 2026-04-20 after confirming active exploitation of a path traversal flaw in Kentico Xperience that lets an authenticated Staging Sync Server user write arbitrary files and achieve remote code execution.

What Is It

CVE-2025-2749 is an authenticated remote code execution vulnerability in Kentico Xperience. According to the NVD description, authenticated users of the Staging Sync Server can upload arbitrary data to path-relative locations, resulting in path traversal (CWE-22) and arbitrary file upload (CWE-434). Because the uploaded content can be executed server-side, the chain ends in remote code execution. The flaw carries a CVSS 3.1 base score of 7.2 (HIGH) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network-reachable and low complexity, requiring no user interaction, but requiring high privileges.

Why It Matters

CISA's KEV listing confirms active exploitation in the wild, with a federal remediation due date of 2026-05-04. Successful exploitation yields full server-side code execution on a CMS that typically fronts public-facing web properties, with HIGH impact across confidentiality, integrity, and availability. Known ransomware campaign use is listed as Unknown in the KEV entry, but the exploitation status alone is enough to drive urgent patching. Public exploitation research from watchTowr Labs and VulnCheck is already available, lowering the bar for attackers to operationalize the bug.

What's Vulnerable

Per the NVD CPE configuration, the affected product is cpe:2.3:a:kentico:xperience in all versions through 13.0.178 (inclusive). The vulnerable component is the Staging Sync Server, which means environments using Kentico's content staging workflow are the primary exposure surface. Any authenticated account with access to the Staging Sync Server endpoint can trigger the chain.
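Two checks a defender would want for the sections above, as an added example that is not part of the brief or of Kentico's code: a version triage against the stated affected range (all versions through 13.0.178 inclusive) and the containment check that a path-relative upload needs to avoid CWE-22. The upload root `/srv/staging` and the sample inputs are constructed for illustration.

```python
import os
import re
from typing import Optional, Tuple

# Upper bound of the affected range stated in the brief (inclusive).
LAST_AFFECTED = (13, 0, 178)


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse a dotted numeric version such as '13.0.178' into a 3-tuple, padding short forms with zeros."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", s):
        raise ValueError(f"unrecognised version string: {s!r}")
    parts = [int(p) for p in s.split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when a Kentico Xperience version falls in the range listed for CVE-2025-2749 (<= 13.0.178)."""
    return parse_version(version) <= LAST_AFFECTED


def contained_path(root: str, relative: str) -> Optional[str]:
    """Resolve a caller-supplied relative path under `root`; return None if it would escape the root.

    This is the CWE-22 mitigation a path-relative upload handler needs: the fragment
    is normalised first, then the result is checked to still sit inside the root.
    Percent-decoding of HTTP input must already have happened before this check.
    """
    if not relative or os.path.isabs(relative) or "\0" in relative:
        return None  # absolute paths, empty names and NUL bytes never belong in an upload name
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None  # '..' segments walked above the upload root
    return candidate


if __name__ == "__main__":
    for v in ("12.0.55", "13.0.178", "13.0.179"):
        print(v, "affected" if is_affected(v) else "not affected")
    for name in ("docs/page.html", "../etc/passwd", "docs/../../x"):
        print(repr(name), "->", contained_path("/srv/staging", name))
```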

Patch Status

Kentico publishes fixes through its hotfix distribution channel at devnet.kentico.com. CISA's required action: apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal civilian agencies were required to remediate by 2026-05-04.

Sources